November 30, 2020

CISO Platform Launches India’s 1st Formal Report On “IT Security Maturity Of The Industry”

Research based on study of around 400 Indian Enterprises across India

ciso Platform,an online social collaboration platform for Cisosenior IT Security Professionals, today announced the official launch of India’s 1st formal report on the IT Security maturity of the industry, based on data from 400+ organizations.

Speaking on the launch of the report, Ms. Priyanka Aash, MD, CISO Platform said, “We have an index for understanding the state of the stock market, but there is nothing to measure the state of IT Security of the industry. We need something simple and understandable to know where we stand in terms of security posture. So, we have created CISO Platform Security Maturity Model (CPSMM) to solve this problem.”

CISO Platform has collected the data point of more than 400 companies in terms of the technologies adopted for securing their organizations over the last 3 years. Using Data Science, a formal model was built for computing maturity index. Each technology has been assigned a specific weight based on the importance. CISO Platform measured the capability maturity for each organization based on the above formula and also created average maturity index for various industry verticals. CPSMM is built to benchmark an organization against the capability of peers, so that one can understand if an organization is falling behind or is in pace with the rest of the industry. The model is particularly useful for the Board and the senior management so that they can have a data driven way to measure their security readiness, as well as create their strategic roadmap.

Key insights from the report
The sample data point in the report comprises of top 400 enterprises. Small and Medium sized organizations are not included in the sample.

India vs. Globe

  • Indian Enterprises are more than 80% at par with the USA in terms of adoption of Prevention or Detection technologies. However, they are less than 10% at par for Response and Predictive Technologies. In the field of IT security, it is impossible to secure everything, every time. So it is extremely critical to have effective measures to respond to a breach or predict a breach before it happens. India is far behind USA in terms of such readiness and capabilities like Incident response, Threat intelligence etc.

  • India is far behind in hiring IT Security Staff when compared globally: Average IT Security team size as a percentage to overall IT staff is less than 1% for all verticals in India, whereas recommended figure globally is 3-5%.

  • Maturity of India for one of the most trending security initiative i.e. Mobile Security is 35% whereas in US its almost 50%

  • Indian companies are not prepared for large scale Distributed Denial of Service (DDOS) attacks. Adoption of DDOS technologies is less than 50% compared to USA.

Vertical Wise Maturity

  • The security maturity Index for Large Scale Telecom emerged as the highest, with a score of 76.62 (out of 100). Major IT/ITES stood 2nd with 74.66, followed by Major BFSI (Banking and Financial Services) with score of 70.16.

  • The score for other major industry verticals are as follows: Financial Services (56.06), healthcare (53.13), Manufacturing (52.43).

  • Smaller BFSI emerged as the least secured vertical and has achieved a score of 44.95. Online and retails achieved a score of 51.52 is the second from the bottom.

Technology Adoption

  • With 56% companies planning to implement Mobile Security this year, it tops the IT security initiative of the year; IT GRC Management Tools bagged second rank with 50% and DRM ranked 3rd position with 40%.

  • Top 3 Mature Security Markets: Anti-spam/Anti-malware (98% implementation), Content Security (93% implementation) and Patch Management (87% implementation) are top 3 Mature IT Security market in 2015.

  • More than half of the companies in the sample data set, tested their IT security infrastructure once in a quarter. However the Indian Industry is highly price sensitive and often compromises on quality.

  • ISO 27001 tops the security compliance with 66% implementation by the companies in India across all verticals.

State of Online/E-commerce Security

  • Online and E-commerce companies rank the second lowest, with a score of 51.52 compared to the Large Scale telecom companies with a maturity of 76.62.

  • Online and E-commerce companies lack in terms of IT Security maturity and most of the companies do not have adequate protection against DDOS attacks or a well tested Incident Response Program. Most of the young e-commerce companies also lack in key security requirements like Secure SDLC, In Depth Penetration Testing during every release, Web Application Firewall (WAF), SIEM etc.

  • More than 90% of the e-commerce companies do not have a dedicated Chief Information Security Officer and typically their engineering head doubles up as the IT Security Head.

Biggest Risks for the Indian Industry

  • There is severe lack of awareness in terms of IT Security across all levels of the organization. The Board/CEO in a usual company does not consider Security as a top priority. The IT Security teams are generally not trained in emerging areas of security. India is at least 10 times behind USA in terms of adopting emerging IT Security technologies like CASB, Threat Intel and Containerization etc.

  • There is a lack of indigenous IT Security technology companies from India. India has produced less than 25 indigenous IT security product companies compared to more than 500 in USA. As a nation, we need to allocate more resources towards building security technologies.